
Alrescha

macrumors 68020
Jan 1, 2008
2,156
317
I'll repeat the point again: if you know the admin password, and enter it when prompted for, it does not matter if you are running as a limited user, or as an admin. The script you are running gains the elevation in both cases. And in either case it requires the user/admin to enter the admin password before anything happens.

I do not think anyone has said anything to the contrary. I do not understand the preoccupation with knowing the admin password. To put it as simply as possible: More bad stuff can happen when running as an admin user than when running as a normal user - without you ever typing in an admin password. If you want to minimize the chances of 'bad stuff' happening, do not run as admin.

Again, the list of 'more bad stuff' may or may not be significant to you.

A.
(who has had enough of this thread - thanks for the conversation)
 

laurihoefs

macrumors 6502a
Mar 1, 2013
792
23
I do not think anyone has said anything to the contrary. I do not understand the preoccupation with knowing the admin password.

I'll repeat this once more: the `bad things` you mention require user interaction.

To put it as simply as possible: More bad stuff can happen when running as an admin user than when running as a normal user - without you ever typing in an admin password. If you want to minimize the chances of 'bad stuff' happening, do not run as admin.

I'll try to put it as simply as possible too: user interaction is required. A normal user account is not going to prevent 'bad stuff' from happening, if the user actively makes it happen (for example running sudo script.sh and entering the admin password).

Again, the list of 'more bad stuff' may or may not be significant to you.

With which I partially agree. But arguing with that was not quite my point.

It was: a regular user is no more safe than an admin, if the user is not careful, and knows the admin password and uses it. The same 'bad things' can happen either way. User interaction is required.

And: the admin account is no more vulnerable to exploits than the user account is, as elevating processes or gaining access to almost anything outside the home folder is going to require a password. No exploits bypassing password prompts currently exist, neither do exploits that run without user interaction. User interaction is required.

A.
(who has had enough of this thread - thanks for the conversation)

Thank you too, it was an interesting conversation, though I'll still have to disagree with some of your points.
 

LV426

macrumors 68000
Jan 22, 2013
1,836
2,266
Simply accessing the /Applications folder is not the same as accessing system files and folders, such as library folders or /System. There has never been a single OS X exploit in the wild that can affect admin users that wouldn't also affect standard users. None.

I do wish you'd stop banging on about what you believe has never happened in the past. That's no guarantee about what might happen in the future. Government-sponsored hackers would have a field day with you.

The point is that bad guys are working all the time, and it's the identification and exploitation of an OS weakness that they're looking for. That is, a hole in the workings, including faults in the way that the OS security works. Or do you happen to know that OS X is completely fault-free? Like, you have a mathematical proof or something.

Do you remember a while ago, when just browsing to a page with some unusual characters would cause Safari to crash? That's a weakness in Safari, and bad guys love crashes. That's how they figure out how to Jailbreak devices, for example. It's just as well somebody didn't open up an attack vector that could have messed up your computer as a result of that particular flaw. And before you start praising the merits of application sandboxing, that's just another bit of software too that can have its own weaknesses.

It would be a remarkable piece of software that didn't have any weaknesses. I happen to believe on the evidence available that OS X security is extraordinarily good. But...

Admin rights open the door a little wider for compromising the security of your machine. Apple acknowledge this. So do security experts.

I don't see why I should open the door a crack when I don't need to.
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
I do wish you'd stop banging on about what you believe has never happened in the past.
I know what has happened in the past, as do millions of others. You're welcome to prove me wrong by posting one documented instance where an OS X malware threat affected an admin user and that threat could have been prevented by running a standard user account. Just one.
That's no guarantee about what might happen in the future.
There is also no guarantee that running a standard user account will provide any protection over an admin account if and when future threats appear. It's only your perception that it may. There are plenty of vulnerabilities in OS X and any other software. Vulnerability doesn't mean an exploit has been created and released in the wild. Many vulnerabilities are patched before any exploits happen.
I don't see why I should open the door a crack when I don't need to.
So don't. You can run your Mac any way you choose, as can anyone else. Just don't try to force your preferences on others by false and misleading statements that there is a security benefit in doing things your way, because there isn't. Whether that changes at some point in the future, no one knows.
 

laurihoefs

macrumors 6502a
Mar 1, 2013
792
23
I don't see why I should open the door a crack when I don't need to.

I agree, this is a perfectly reasonable way to look at it.

Admin rights open the door a little wider for compromising the security of your machine. Apple acknowledge this. So do security experts.

The linked documents are only meant and applicable to a limited range of environments and uses though, and restricting user privileges should never replace users' common sense. It's not an end-all-solution to security, but it does not hurt either.
 

moonman239

Cancelled
Original poster
Mar 27, 2009
1,541
32
I should post that I read, on some page regarding Linux, that the reasoning behind the idea of not using Windows as admin is that it's harder for malicious software to launch a huge attack on the computer. According to the page, such reasoning fails for Linux because Linux administrator profiles have less privileges than the root user.

It's worth pointing out that I can easily see a USB device on my computer. Therefore, if the hacker wants to use said device to get my password, he would have to find a flaw in the software that would allow him to install the key logger. I would also need to mistake said device for a legitimate, unhacked, USB device that was supposed to be connected.
 

ardchoille50

macrumors 68020
Feb 6, 2014
2,142
1,230
I should post that I read, on some page regarding Linux, that the reasoning behind the idea of not using Windows as admin is that it's harder for malicious software to launch a huge attack on the computer. According to the page, such reasoning fails for Linux because Linux administrator profiles have less privileges than the root user.

It's worth pointing out that I can easily see a USB device on my computer. Therefore, if the hacker wants to use said device to get my password, he would have to find a flaw in the software that would allow him to install the key logger. I would also need to mistake said device for a legitimate, unhacked, USB device that was supposed to be connected.

Being that I have used Linux as my sole operating system since 2001, I'd like to chime in here.

The way it works in Linux using sudo is that, if you download and run an app/script that deletes, say the kernel, the system will ask you for the admin password before the app/script is allowed to proceed. If you enter the admin password the app/script is allowed to execute. If you don't enter the admin password then nothing happens. Anything that requires system alteration requires the admin password. This is part of the reason there are no active viruses for Linux.

If you're actually running things from the root account then the user isn't prompted for the admin password at all. This means the user can accidentally delete every file in the system and wouldn't realize their mistake until it was too late. This is why Linux users are told to never run as root unless they are absolutely sure of what they are doing.

There's an old saying in Linux "man who play in root eventually kill tree".

Does OS X use a similar admin/user model?
 

laurihoefs

macrumors 6502a
Mar 1, 2013
792
23
Does OS X use a similar admin/user model?

One important thing to note is that root and admin are not the same. Admin has many restrictions in place, while root has none. By default root is disabled in OS X.

This setup is similar to what most modern Linux and BSD distributions have.
 

ardchoille50

macrumors 68020
Feb 6, 2014
2,142
1,230
One important thing to note is that root and admin are not the same. Admin has many restrictions in place, while root has none. By default root is disabled in OS X.

This setup is similar to what most modern Linux and BSD distributions have.

Yes, good point regarding the distinction between root and admin, I need to modify my post. Thank you for that.

Ah, good to know that OS X is set up similar to other *nix systems.
 

macnjack

macrumors member
Oct 11, 2011
42
0
It's worth pointing out that I can easily see a USB device on my computer. Therefore, if the hacker wants to use said device to get my password, he would have to find a flaw in the software that would allow him to install the key logger. I would also need to mistake said device for a legitimate, unhacked, USB device that was supposed to be connected.

If you're referring to the USB/firewire exploit I posted above, there would not be a USB attached for you to see. The attack occurs by reading your entered password since the last power up directly from memory. This is based on the firewire protocol of direct memory access.

If you are logged in as admin, and typed in your password at login, they now have your password and a pathway to root.

In my part of the planet, I observe folks with Kensington locks shut the lid and go to the restroom, walk through the library at Uni, etc while leaving the computer in Sleep at their workstation. That's when the attack would occur.

**And please no "the first rule of security is not to give physical access." Not many people can account for 100% of the time and people around the computer and not the question asked. It's good info, but not addressing the OP.

Moonman's question was if there is any reason to run standard vs. admin. I provided a proven method that satisfied that requirement, albeit low probability.

I'm not arguing root v. admin.

I'm not espousing my personal opinion, home setup, or giving anecdotal examples.

I'm not addressing malware or trojans and how they function the same way under either account.

I am addressing the absolutes that are being thrown around this thread.

Lastly, have a gander at pwn2Own if you want to see what has occurred on OS X, via wifi, no add ons or 3rd party software, with a stock OS X. And keep in mind these are the people willing to give up their exploits for arguably low money. You can crawl around and dig up the old detailed workings if interested.

I like the thread though, hugs and kisses to all on Valentine's Eve.
 

ardchoille50

macrumors 68020
Feb 6, 2014
2,142
1,230
Correct me if I'm wrong, I'm still learning OS X. Regarding using the account that was supplied when first setting up a Mac. That account is basically the admin account, technically a user account with extra capabilities via sudo. Am I correct in my assumption?

If this is correct, then setting up a user account, other than the admin account, would require that user to log out and log in as admin in order to alter anything outside of their home dir. And, using the admin account on a daily basis provides the necessary security while alleviating the extra log out/in steps. At least that's how it works in Linux using sudo.
 

LV426

macrumors 68000
Jan 22, 2013
1,836
2,266
I know what has happened in the past, as do millions of others. You're welcome to prove me wrong by posting one documented instance where an OS X malware threat affected an admin user and that threat could have been prevented by running a standard user account. Just one.

There is also no guarantee that running a standard user account will provide any protection over an admin account if and when future threats appear. It's only your perception that it may. There are plenty of vulnerabilities in OS X and any other software. Vulnerability doesn't mean an exploit has been created and released in the wild. Many vulnerabilities are patched before any exploits happen.

So don't. You can run your Mac any way you choose, as can anyone else. Just don't try to force your preferences on others by false and misleading statements that there is a security benefit in doing things your way, because there isn't. Whether that changes at some point in the future, no one knows.

There are NO GUARANTEES ABOUT ANYTHING in respect of the workings of software, and I have never said or implied that there are. You're in a dream world if you imagine that I have.

There are NO GUARANTEES that OS X has not been hacked in the way that you suggest. The most clandestine of hackers infiltrate and exploit computers sometimes for years.

Whether that is the case or not has NO BEARING AT ALL on future malware exploits.

I am simply repeating here statements that have been made by Apple and various security experts: that Admin privileges in OS X put your security at greater risk. If you are so bold in your assertions, why don't you write to Apple and tell them to change their documentation.

This does not constitute 'forcing my preferences on others' in any way, shape or form. That's a logical leap that's consistent with your other ramblings, so no great surprise there.
 

macnjack

macrumors member
Oct 11, 2011
42
0
Yes. No software can gain elevated access without the user entering the admin password, even if they're logged in as an administrator. There are some here who are trying to invent a risk that doesn't exist.

This is not true. The exploits do exist as I linked above in the pwn2own competition above.

Since I won't rely on others to do the research, here is one of many examples.

Specifically, from 2011. This was on a default install Mac with no other software installed, i.e. Admin account created at OS install with password required for log on. The computer was on a wifi network that the "security team" has access to. That's it. All other settings were default.

From Dailytech article:
Luring the user to a suspect site in Safari, the VUPEN researcher remotely launched OS X's calculator app and wrote a file to the disc -- essentially paving the way for a full hijack of the machine. This was all done without the browser crashing or showing any irregularities.

He describes, "The victim visits a web page, he gets owned. No other interaction is needed."

The victim would likely think they merely clicked on a bad URL.

The full hijack rules require the team to acquire root. This was possible because they had elevated privileges through the default admin account to remotely execute code from Safari's webkit, then create some form of memory overflow...completely undetected. The "full hijack" portion refers to the extraction of the admin password from memory. Once again, a vulnerability from running as an admin.

This particular method would not be possible on a standard user account because the remote code execution could not take place.
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
This is not true. The exploits do exist as I linked above in the pwn2own competition above.
You've missed the context of this thread. We're talking about the threats or perceived threats to an average user running an admin account vs a standard account. You're talking about a hacking competition, which is quite different than an average user encountering malware. The hacking you described requires the direct personal attention of the hacker to attack the specific computer being hacked. Unless you're a high-value political, military or financial target, the chances of any average user's Mac being hacked is ridiculously remote. In the past 6 years of reading "My Mac was hacked!" threads in this forum, not a single one ever was.

We've already established, and it is quite well known, that like any software, OS X has vulnerabilities. Whether or not those vulnerabilities are exploited is another matter. Whether such exploits are in the wild, where an average Mac user could encounter them is yet another matter.

Unless you're entering your Mac in the pwn2own contest, there is no real-world threat that is likely to affect an average Mac user running as an admin user that wouldn't also affect a standard user.
There are NO GUARANTEES that OS X has not been hacked in the way that you suggest. The most clandestine of hackers infiltrate and exploit computers sometimes for years.
You've shifted gears and are now talking about hacking, which is different from malware. The chances of an average user having their Mac hacked is extremely remote, and has no bearing on the discussion here.

I am simply repeating here statements that have been made by Apple and various security experts: that Admin privileges in OS X put your security at greater risk.
Again, the statements you quoted from Apple were not directed to average users. You seem to keep missing that fact. If you want to believe the "security experts", or even believe that they are, in fact, experts, that's your choice.
 

macnjack

macrumors member
Oct 11, 2011
42
0
Apparently, Apple does not recommend using my administrator account on a daily basis. I understand that I don't need administrator privileges for some tasks. I would still like to know why I should create a separate user.

1) I am the only one who will use this computer.
2) Mac OS X requires that I type in my administrator password any time I want to do something like modify system files or settings.
3) I can see if an application is or contains malware by doing some research on the Internet.

What part of the context of this thread did I miss? He specifically asked why he should run a separate user.

You keep throwing in the malware requirement. No one else. Malware requires user interaction. This is established. This can be done and affects standard/admin accounts the same way. Not a single person disputes this. When you are presented with other scenarios, however, you dismiss them and bring up malware again.

Unless you're entering your Mac in the pwn2own contest, there is no real-world threat that is likely to affect an average Mac user running as an admin user that wouldn't also affect a standard user.

You did not read about nor research the particular exploit given. Any person logged in as default admin in OS X at the time, accessing the website set up by the security team, could be compromised. Their code was executed remotely, not on the same network. The part where I mentioned wifi network was completely arbitrary to this exploit and could have been left out. This is an example of the elevated privileges given to admin that make it more vulnerable.

As mentioned repeatedly, these security holes are fixed regularly and without letting the general public know. They also exist in the wild for years without you knowing about them. Teams demonstrating them at Pwn2Own means they are in the wild.

Moonman has been given his answer by many people throughout this thread. Some great clarifications and discussion have been made, but I am done in this one.

Kisses on Valentines to you all.
 

throttlemeister

macrumors 6502a
Mar 31, 2009
550
63
Netherlands
@gjstudios if you don't mind I'd like to point out that when it comes to security, what happened (or not) in the past is completely, totally and utterly irrelevant. Security is about what may happen in the future and trying to limit risks to those future and currently hypothetical issues.

What you advocate is not locking your house until after the first burglary and you have proof burglars exist.

Personally I and others in this thread would argue you're too late by then.
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
What part of the context of this thread did I miss? He specifically asked why he should run a separate user.
And the only real-world threat that exists outside of theories, hypothesis and hacking competitions is malware. There simply is no current hacking threat for the average user. Also, because a vulnerability exists doesn't mean it will ever be exploited. There are no OS X exploits in the wild and there has never been an OS X exploit in the wild that an average user could encounter that can affect an admin user account but not a standard account. None. Whether there ever will be is anyone's guess, but based on the past 12 years of use by over 75 million OS X users, the likelihood is extremely remote. If that microscopic possibility concerns you, you should certainly run on a standard account. If, on the other hand, you're a typical user with enough common sense to practice safe computing, you're fine running as admin.
@gjstudios if you don't mind I'd like to point out that when it comes to security, what happened (or not) in the past is completely, totally and utterly irrelevant.
That's not true at all. Past history is quite relevant in determining appropriate protection moving forward. For example, there have in the past been several threats that capitalized on vulnerabilities in Java in the browser. For that reason, we now know it's wise to leave Java disabled in the browser unless visiting a trusted site, and Apple has even updated OS X to do that automatically. In the past, there have been exploits that were disguised as application updates. Based on that history, we now know it's wise to only get updates from within an app or directly from a developer's site.

As the old saying goes, "Those who cannot remember the past are condemned to repeat it."
 

dyn

macrumors 68030
Aug 8, 2009
2,708
388
.nl
Yes, my statement is correct. You claiming otherwise doesn't change that fact. If you want to effectively challenge it, provide proof.
No, you need to start providing proof for your claims instead of consistently requiring proof from others when they tell you you are wrong. Even if the proof has been given (start reading the document that someone links to for a change!).

Also, this is standard security practice for any operating system. This is NOT a Windows thought whatsoever. If you read any UNIX/Linux book that talks about system administration you'll find this sort of advice (especially in combination with tools like sudo).

Conceiving some imagined flaw is quite different from providing factual evidence that such a flaw currently exists. Your hypothesis is not a threat until it becomes reality, which it hasn't.
The same applies for your reasoning. You are also simply claiming something is the truth without providing any evidence whatsoever.

You also seriously need to up your knowledge about security measures in a UNIX environment such as OS X and security attacks in general. Running malicious software is only part of the deal. If the account is able to read and write in certain areas without needing to provide a password then you have a problem. There are certain areas where an ordinary user is not allowed but any admin user will be granted access without providing any password. Because the standard isn't allowed you need to provide an admin account who can access it. That is an additional layer of security which is what we are talking about. So no, your statement is definitely not true at all.

Having access to a system is so much more than just being able to run an application. That is why we have user accounts, groups, ACL, etc. in the first place. Security isn't just one thing, it is an entire set of measurements. The entire point of having security is looking at what you need and making decisions based on that.

Check the various hack attacks done on webservers. There are many that used the fact that they could write to other places without needing passwords or specific accounts. It is like going up the stairs: step by step.

If an admin does something that requires admin privileges, an admin password is requested.
If a user does something that requires admin privileges, an admin password is requested.
How is one scenario more secure than the other?
Difference in rights that do not require the password of an admin user. The admin user is not just an ordinary user with the ability to use something like sudo. The admin user is an elevated user account with the ability to use something like sudo. This means that it has a bit more rights by default, without needing a password, than an ordinary user.

The problem in this case is that OS X is aimed at single user use. It doesn't really count on having more than 1 user (which is what Windows does as well). It does support more than 1 and it has really good support for that too but it is not what it is expecting. There are more things in OS X that give this kind of setup away. Take a look at the ACL on /Users. You can look in other users' homedirs. In some countries this is a breach of privacy law. Obviously it doesn't go as far for a home computer. The difference in security doesn't stop with the ACL btw.

One thing you really should do is check the security fixes Apple lists on: https://support.apple.com/kb/HT1222 Dig through them and you'll see some bugs that are aimed at admin users. A very recent one is the sudo password caching bug: an ordinary user isn't allowed to use sudo thus you need to su into an admin account and then use sudo; alternatively you can use sudo -k instead to not cache the password but you need to remember this, forgetting it 1 time is all it takes. I urge anyone to make his/her own risk assessment and decide what measures they need/want.

Btw deleting something from say /Applications can also be considered as malicious. Something is malicious if it does something willingly and knowingly that will break something (not being able to run a certain app is exactly that).

Lastly: running as ordinary user is just a useful thing to do because it will ask you for the username/password of an admin user when some system change will need to be made. It is more like a reminder for the user and can be used to prevent something like accidentally deleting an application.

And the only real-world threat that exists outside of theories, hypothesis and hacking competitions is malware. There simply is no current hacking threat for the average user.
There are no CERT/CSIRT's that will support your claim because they don't stick their heads in the sand. They know this happens and they have a lot of evidence. This IS a real-world threat. What you are doing here is denying the existence of botnets, malware scanners, etc. Botnets need machines, they don't care what they are. Same with something like the flu. The flu doesn't care who you are, how much money you have, where you live, etc. That's why we have flu shots.
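
The difference dyn describes above (rights an admin account holds with no password prompt, plus sudo's cached credentials) can be checked on your own machine. This is an added example, not part of any post in this thread; the function names and the list of paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: report what the current account can do with no password
# prompt. Function names and the path list are illustrative assumptions.

# has_group "<space-separated group list>" <group>
# True when <group> appears as a whole word in the list printed by `id -Gn`.
has_group() {
    for g in $1; do
        if [ "$g" = "$2" ]; then return 0; fi
    done
    return 1
}

# writable_paths <path>...
# Prints each path the current user can write to right now, that is,
# without any authentication dialog or sudo.
writable_paths() {
    for p in "$@"; do
        if [ -w "$p" ]; then printf '%s\n' "$p"; fi
    done
    return 0
}

# sudo_cached: true when sudo would run a command without asking for a
# password (cached timestamp or a NOPASSWD rule). -n makes sudo fail
# instead of prompting. Note: a successful call refreshes the timestamp.
sudo_cached() {
    command -v sudo >/dev/null 2>&1 || return 1
    sudo -n true 2>/dev/null
}

audit_account() {
    grouplist=$(id -Gn 2>/dev/null || true)
    if has_group "$grouplist" admin; then
        echo "account type: admin (member of group 'admin')"
    else
        echo "account type: standard (not in group 'admin')"
    fi
    echo "writable with no password prompt:"
    writable_paths "$@" | sed 's/^/  /'
    if sudo_cached; then
        echo "sudo: credentials cached; run 'sudo -k' to drop them"
    else
        echo "sudo: a password would be required"
    fi
    return 0
}

# System-wide locations to test (assumed list; adjust for your system).
audit_account /Applications /Library /usr/local /System /Users/Shared
```

Run it once from an admin account and once from a standard account and compare the "writable" lists; any path that appears only for the admin account is reachable by anything running as that user without a prompt.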
 

Traverse

macrumors 604
Mar 11, 2013
7,688
4,400
Here
Please link to that recommendation.

There is zero benefit to running on a standard vs administrator account if you are the only user on your Mac. That's a carryover from Windows mentality.


If software needs to install in areas that require the admin password, the password is requested even if the user is logged in as an administrator. There is no added protection provided by running a standard account.

But I have someone who won't want a password. I was going to give them a standard account that would log in automatically and retain an Admin password for myself to prevent them from installing anything.

This would work, correct?
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
But I have someone who won't want a password. I was going to give them a standard account that would log in automatically and retain an Admin password for myself to prevent them from installing anything.

This would work, correct?
Yes, that would work.
 

MacsRgr8

macrumors G3
Sep 8, 2002
8,285
1,755
The Netherlands
Here is what Apple says :

Unless you need administrator access for specific system maintenance tasks that cannot be accomplished by authenticating with the administrator’s account while logged in as a normal user, always log in as a nonadministrator user.

Log out of the administrator account when you are not using the computer as an administrator. Never browse the web or check email while logged in to an administrator’s account.


Page 119 : https://ssl.apple.com/support/security/guides/docs/SnowLeopard_Security_Config_v10.6.pdf

LOL, when you set up an account for the first time on a Mac, you are the 501-user, i.e. the first administrator.
All ordinary Mac users are 501 users....
 

fisherking

macrumors G4
Jul 16, 2010
11,090
5,440
ny somewhere
seriously? who ISN'T the admin on their default OS X setup?

if i install something, i have to enter my password. if i were a non-admin user, i'd have to enter an admin name AND password. either way, i have to enter SOMETHING.

admin is fine, logical, simple. have been running that way since 10.2....
 

dyn

macrumors 68030
Aug 8, 2009
2,708
388
.nl
LOL, when you set up an account for the first time on a Mac, you are the 501-user, i.e. the first administrator.
All ordinary Mac users are 501 users....
Quite funny but they had to make this trade off. Think about it: if you need to remember a password that is at least 30 characters, how would you do it? You don't because you can't. What happens in cases like these are workarounds. Lots of people will write down the password. In the end such a security policy is less secure than a policy that defines a minimum of 8 characters. Same happens with the admin vs normal user. Sometimes you have to lower the bar in order to make things secure. A very unnatural thing to do.
 

SlCKB0Y

macrumors 68040
Feb 25, 2012
3,426
555
Sydney, Australia
Please read the earlier posts in this thread. It has already been established that the document that you're quoting from is not intended for the average Mac user.

Your logic is flawed - just because that particular document is not aimed at novice users does not mean that all the information and advice contained within it is not applicable to novice users.

The principle of least privilege is a fairly fundamental rule of IT security.

----------

No OS X exploit has ever been released in the wild that capitalizes on any difference between running a standard vs admin user account. Just because exploits in general have happened or may happen does not mean they have or will happen with regard to which type of user account is involved.

Why does something have to have occurred before for it to be considered a risk? That doesn't make any sense at all. As long as a scenario is possible and has a detrimental outcome, it is a risk.
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
Your logic is flawed - just because that particular document is not aimed at novice users does not mean that all the information and advice contained within it is not applicable to novice users.

The principle of least privilege is a fairly fundamental rule of IT security.
My logic is just fine. Among those arguing that everyone should be running a non-admin account as their regular account, not one single example has been given of a real-world threat that can affect an admin user that wouldn't also affect a standard user.

Aside from theories, hypotheses, arranged hacking competitions and other things that the masses of OS X users would never be exposed to in normal use, name one instance of a vulnerability that was actually exploited that affected admin users that didn't also affect standard users. There simply are none and there have never been any since OS X was introduced.

If you want to run a non-admin account, do it. There is nothing wrong with others (the vast majority of OS X users) to use an admin account as their usual account.
 